• August 24 - 17:31. All the exams are now graded and lie in student office. Hopefully, you will receive your grades soon. As there was only a small number of exams, please contact Elena if you want to review your exam or discuss the grade.
  • August 24. The re-re-exam (and solution) are now online. You can find them on the examination page.
  • There will be an extraordinary exam on August 24th morning slot (8:30 - 12:30)!. See more information on the examination page.
    Take away: try to understand the solutions of the last 2 exams, re-do the weekly exercises and go though the course slides again. Good luck! :)
  • The re-exam view will take place on Monday the 8th from 11.30 to 12.30 in room EDIT 5128 (same room as last time).
    We cannot guarantee that the grades will be published before that date due to a missing signature, in any case you are all welcome to view your exam!
  • April 11 - 17:11. We updated the solution, thanks to the student who noticed the typo!
  • The re-exam (and solution) are now online. You can find them on the examination page.
  • The re-exam is on April the 11th from 8.30 to 12.30. See more information on the examination page.
  • January 27. Due to some slow bureaucratic procedure, the grades for the Assignments will be confirmed in Ladok next week.
  • Exam review is on Thursday the 26th of January in room EDIT 5128 - from 12.00 to 13.00. ** Don't forget to bring an ID card. **
    All students are welcome to come and have a look at the exams, and get feedback! :)
  • The exam (and solution) are now online. You can find them on the examination page.
  • We remind you that the 6th exercise session is moved to 10:00-11:45.
    The 13th lecture will be replaced with the exercise session.
  • Exercise Session #6 : reply to the survey on GoFormative (Code: MHGG739)
  • December 5. Uploaded a (hopefully) typo-free version of the slides for the lecture 9,10,11 and lecture 12. Thank you for your patience.
  • December 1. Wissam's office hours on Monday 5 will be from 10.00 to 12.00.
  • November 25. The third assignment is online!
  • Exercise Session #4 : reply to the survey on GoFormative (Code: JRUM724)
  • November 21. Uploaded a (hopefully) typo-free version of the slides for the lecture 7 and lecture 8. Thank you for your patience.
  • November 18. The second assignment is online! Updated version.
  • November 14. Before Wednesday 16 November at noon (12:00), if you don't have a partner for the programming assignment , please send an email to Elena with subject pairing-up for the programming assignment and we will try to find a partner for you. All the request after November 16 will not be considered and you will have to solve the programming assignment alone.
  • November 14. Exercise Sheet #3 is online.
    Uploaded a (hopefully) typo-free version of the slides for the lecture 6. Thank you for your patience.
  • November 11. The programming assignment is online!
    Uploaded a (hopefully) typo-free version of the slides for the lecture 5. Thank you for your patience.
  • November 09. Uploaded a (hopefully) typo-free version of the slides for the lecture 4 and the lecture 5. Thank you for your patience.
  • November 08. You can find the survey for the next exercise session on Carlo's webpage
  • November 04. The first assignment is online!
    Uploaded a (hopefully) typo-free version of the slides for the lecture 2 and the lecture 3. Thank you for your patience.
  • November 03. Uploaded the OTP security proof done during the 2nd lecture
  • The course starts on the 1st of Nov. Also the exam date is already announced and it is on the 12th of January 2017 at 14:00-18:00.
    Last day to sign up for the exam is on the 21st of Dec. 2016
  • September 15. Welcome to the Cryptography course (TDA 352 - DIT 250) web site.
  • September 12. First version of web site for autumn 2016.
  • Get ready for the exercise sessions before attending the session.


Lectures are Tuesdays 10:00-12:00 in KA and Fridays 10:00-12:00 in HA3. See the schedule for details.

Lecture # Week # Date (mmdd) Room Topic (slides) Add. Material Stallings Katz-Lindell
1 1 1101 KA Introduction - Historical Ciphers Yes 1.1, 2.1 - 2.4 1.1 - 1.3
2 1 1102 HA3 OTP, semantically security, stream ciphers, PRG - OTP Semantic Security Proof Yes
Formal Proof for Shannon's Theorem
and Perfect Secrecy of the OTP (up to Sec. 3)
2.1, 2.2, 7.1, Add Material 1.4, 2, 3.3.1
3 1 1104 HA3 PRG/PRF/PRP, Block ciphers (DES/AES/CBC) 3.1 - 3.5, 5.2 - 5.6, 7.1, 6.2, 6.3 6.2, 3.5.1, 3.6.2
4 2 1108 KA Block Cipher and their security, intro Pub. Key Crypto Yes 8.1, 9.1, 9.2, 14.5 3.4.2, 10.4, 8.1.1, 8.1.2, 11.1, 11.2.0, 11.5.1, 12.4
5 2 1111 HA3 PKCryptography, PKEncryption, Signatures (RSA, EEA, modular inverses, Primality Test) Yes 4.1 - 4.3, 8.1, 8.3, 9.1 - 9.2 4.1.1 - 4.1.2, 8.2.2, 11.5.1, 11.2, B.1 - B.2
6 3 1115 KA Number Theory and Group Theory for Public-Key Cryptography Yes 2.5, 2.7, 4.4, 5.1, 8.1 - 8.3, 8.5, 9.2 7.1.1, 7.1.3, 7.1.4, 7.2
7 3 1118 HA3 RSA, ElGamal, Security (DLog, Factoring) + Exercises 8.5, 10.2 8.3.1, 8.3.2, 9.0, 11.4.1
8 4 1122 HA3 DH, KeyExchange Protocol, Fiat Shamir (some exercises), quick look Sigma-protocol and Zero-knowledge Yes 10.1 10.3
9 4 1125 HA3 Secure MultiParty Computation, Secret Sharing Yes
10 5 1129 HC2 Hash function, Birthday Paradox, One Way function 11.1, 11.3, 11.4, 13.1, 13.6 4.1, 5.1, 5.4.2, 12.1, 12.2, 12.4
11 5 1202 HA3 Data integrity / Authentication Digital Signatures, MACs 11.3, 11.5, 12.1-12.4, 13.2 4.2, 4.3, 5.3, 5.4
12 6 1206 HC2 Additional topics: Elliptic curves cryptography
14 7 1213 HA3 Course Recap (quizzes, old exams, etc.)

The course has used material from the Cryptography I course at Stanford University.


Course responsible, lectures, exam responsible

Elena Pagnin
Email: elenap "at"
Office: Room 5123, EDIT building.
Office hours: Contact via email.
You can also send me an email to arrange a meeting.
Katerina Mitrokotsa
Phone: +46 31 772 1040
Email: aikmitr "at"

Tutors (home assignments, laborations and exercise sessions)

Wissam Aoudi
Email: wissam.aoudi "at"
Office: Room 5121A , EDIT building.
Office hours: Contact via email.
Carlo Brunetta
Email: brunetta "at"
Office: Room 5125, EDIT building.
Office hours: Contact via email.
You can also send me an email to arrange a meeting.
Hamid Ebadi
Email: hamide "at"
Office: Room 5447, EDIT building.
Office hours: Contact via email.

Student representatives

Course Evaluation: Meeting 2

Rasmus Andersson
Email: rasan "at"
Vidar Eriksson
Email: vidar "at"
Ibrahim Fayaz
Email: fayaz "at"
Raphael Isemann
Email: isemann "at"
Kruthika Suresh Ved
Email: kruthika "at"


Cryptography is becoming increasingly important to enhance security in connection with data storage and communication and various kinds of electronic transactions. This course aims to give students

  • an overview of basic cryptographic concepts and methods
  • a good knowledge of some commonly used cryptographic primitives and protocols
  • a sound understanding of theory and implementation, as well as limitations and vulnerabilities
  • an appreciation of the engineering difficulties involved in employing cryptographic tools to build secure systems

Course content

Classical cryptosystems

We will cover only a small selection of classical (paper-and-pencil) cryptosystems, including substitution and transposition (permutation) ciphers as Vigènere. You should know how these work and how to cryptanalyse them. Among tools here you should know how to make use of mono-, bi- and n-gram frequencies, the Kasiski test and coincidence index.

You should also know the principles behind rotor machines such as Enigma and have an understanding of the importance of these machines and their cryptanalysis during World War II.

This material is covered in Chapter 2 of the course book. There is also a large number of web sites devoted to these topics, easily found by Google search.

Block ciphers

We discuss SP networks and Feistel networks as general constructions for block ciphers and examplify concrete constructions with DES and AES/Rijndael. We also discuss modes of operation, including at least ECB, CBC and CTR mode and how to combine encryption and MAC authentication. Finally, we discuss key management for symmetric encryption. Book references: chapters 3, 5 and 6. MAC's are covered in chapter 12.

Public-Key Cryptography

We will discuss the basic ideas of public-key cryptography as based on one-way functions with trapdoors. Then we will discuss ElGamal and RSA encryption/decryption in detail, on the way reviewing necessary number theory, (modular arithmetic, Chinese remainder theorem). Hash functions, in particular iterative constructions such as MD5 and SHA-1 and their properties are discussed before we turn to use of RSA for digital signatures. Diffie-Hellman key exchange and the discrete logarithm problem is covered. We will also discuss prime number generation, in particular the Rabin-Miller test.

A brief overview on algorithms for factoring and discrete logs is included to give an understanding of how recommended key lengths are chosen. The analysis of algorithms for discrete logs will also suggest the use of other cyclic groups than (subgroups of) Zp for cryptographic purposes. We will introduce elliptic curves as an important example.

This is covered in chapters 9, 10 and 13 of the course book.

Stream ciphers

In this brief part we discuss Linear Feedback Shift Registers as a way of implementing stream ciphers and analyze their properties and give some examples. We also discuss RC4. Stream ciphers are discussed in chapter 7, but LFSR's are not mentioned.

Cryptographic Protocols

Cryptographic primitives need to be embedded in protocols in order to provide useful services. We will discuss a number of such services as examples; in particular protocols for key management and identification. We will also discuss some examples of broken protocols. Book reference: chapters 14 and 15.

Information theory

We will briefly discuss probabilistic models of encryption and Shannon's notion of perfect security. We discuss Shannon's bound on key length for perfect security and show that the one-time pad achieves this. We introduce the notion of entropy and redundancy of a language and show how the redundancy of the plaintext language affects the amount of ciphertext that is needed for unique decryption.

This material is not covered in the course book.